----- "David Lutterkort" <lutter(a)redhat.com&gt; wrote: Thanks for the tip. [root@localhost ~]# NETCF_DEBUG=1 ncftool warning: augeas initialization had errors please file a bug with the following lines in the bug report: /augeas/files/etc/sysconfig/iptables/error = "parse_failed" /augeas/files/etc/sysconfig/iptables/error/pos = "0" /augeas/files/etc/sysconfig/iptables/error/line = "1" /augeas/files/etc/sysconfig/iptables/error/char = "0" /augeas/files/etc/sysconfig/iptables/error/lens = "/usr/share/augeas/lenses/dist/iptables.aug:59.10-.32" /augeas/files/etc/sysconfig/iptables/error/message = "Iterated lens matched less than it should" Failed to initialize netcf error: unspecified error error: errors in loading some config files [root@localhost sysconfig]# cat iptables *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT -A INPUT -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6 -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges" -A FORWARD -m limit --limit-burst 10 --limit 6/minute -j LOG --log-level 6 -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT I also discovered that after no changes to any configurations, a restart of the network makes ncftool/augeas happy. [root@localhost sysconfig]# service network restart Shutting down interface eth0: [ OK ] Shutting down loopback interface: [ OK ] Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0 [ OK ] Bringing up loopback interface: [ OK ] Bringing up interface eth0: Determining IP information for eth0... done. [ OK ] [root@localhost ~]# iptables -L -n|grep PHYS ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-is-bridged /* Forwarding for VM bridges */ [root@localhost sysconfig]# NETCF_DEBUG=1 ncftool ncftool> If I reboot, ncftool is broken again, with the same error, until a network restart. Note the following line in iptables: -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT -m comment --comment "Forwarding for VM bridges" If I comment out that entire line with a #, I'm somewhat surprised when I run ncftool, to see iptables restart and this line is deleted. [root@localhost sysconfig]# NETCF_DEBUG=1 ncftool iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ] ncftool> quit I found that if I remove '-m comment --comment "Forwarding for VM bridges"' then ncftool is happy, even after a fresh reboot. So, perhaps it's an augeas bug with the comment module in iptables? It does seem odd that even with this line present, ncftool does work if I restart the network service.